Two days ago, ProtonMail released version 3.6. A number of new features were added in this release. The biggest one is long-awaited: two-factor authentication. Another new feature that interested me is ProtonMail’s new single password mode. Continue reading “ProtonMail Two-Factor and Single Password Mode”
Email is a service that we all rely on. Finding an email provider that promises a good balance of privacy, security, and convenience is a fraught proposition, however. As readers here doubtlessly know, I have huge privacy concerns around email. I hate giving out my real email address if possible, because it equates to attack surface (more on this later). I also hate using the same email for multiple services, but this creates major convenience problems. And I can’t store email with providers that either a.) dont’ store my data securely or b.) store it securely but scrape it for marketing purposes. Readers here also know I am a big fan of ProtonMail. This is why I decided to give ProtonMail Premium a try. Continue reading “ProtonMail Premium Review”
In Part I of this series we discussed the principles of rolling your own encrypted email. Part II and Part III covered the installation and setup of the applications needed to make this happen. Today we will begin talking about how to actually use all this “stuff”. Installing the programs are the easiest parts of this process, but using it isn’t as daunting as it was just a few years ago. Hopefully you have been using Thunderbird over the past week and have some comfort level with it. To begin using it to send and receive encrypted email, you will need someone to practice with. This is a good reason and a good strategy to encourage others to use encryption!
I haven’t written much about data backups here before, but they are incredibly important. Everyday, run-of-the-mill data loss can range from frustrating to devastating. In the midst of a natural disaster the impact of personal data loss may be compounded as you are trying to deal with much more basic needs. I am proud to be a guest on the In The Rabbit Hole Urban Survival Podcast this week (the episode will air today and can be found here). Aaron and I talked about backing up the documents you may need to have on hand in an emergency, or what I call the “Bugout Backup”. I also mentioned how to store and protect this information with encryption. Our first topic was why having this information is important.
In the last part of this installment we discussed importing mail into the Thunderbird mail client. Now that our email has been taken out of the browser, we can begin adding the cryptographic elements. The first of these is GPG (Gnu Privacy Guard). GPG is an open source implementation of PGP. It will provide the actual encryption used for our emails. The next step is to install an add-on to Thunderbird called Enigmail. Enigmail will provide the interface, allowing Thunderbird to use GPG’s encryption. Installing and setting up GPG and Enigmail is the first order of business in this post.
Different operating systems require different versions of GPG. If you are using Windows you will install GPG4Win. If you are using OS X you will install GPG Suite. If you are using Linux, you can probably skip this step because GPG comes standard with most distros. If you do need to download it you can do so here. After you have downloaded the application, begin the setup process. You will be prompted to provide your administrator password and select a language. After you have done so you should see screens depicted in the following screenshots.
On the third screen you will be asked which components of GPG you wish to install. I generally choose to make my installation as light as possible. I uncheck everything except “GnuPG” and the “Compendium”. The other components provide powerful capabilities, but they are superflous for our purposes.
The next step is to install Enigmail. Since it is only a extension to Thunderbird this is an easy installation. First, open Thunderbird. Next, click the hamburger icon, and then click “Add-ons”.
CREATING A KEY PAIR WITH GPG AND ENIGMAIL
With GPG and Enigmail installed, you are ready to begin creating your key(s). When Thunderbird restarts the Enigmail Setup Wizard will begin walking you through the process of key generation. This is not an overly complicated process, and Enigmail will automate most of it. With the “Start setup now” radio button checked, click “Next”.
On the next screen select “I prefer an extended configuration”. On the next screen check “I want to create a new key pair for signing and encrypting my email”. The next screen will prompt you to enter a password. I recommend that you take some time to enter a good password. This password can never be changed, so take the time now. After clicking the “Next” the key generation process will begin.
After the keys have been generated you will be prompted to generate a Revocation Certificate. A revocation certificate allows you to revoke your keys if they are compromised in the future (leading to compromise of communications encypted with them). This ensures that if you lose control of your private key you can still maintain control of the communications. We will discuss how to revoke a certificate in a future post on the topic. Ensure you store the revocation certificate in a secure location.
Now that we have installed GPG and Enigmail and setup a keypair, we are ready to being exchanging encrypted emails. We will cover this in the next segment, so stay with me!
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.
This is the second in a multi-part series on setting up your own email encryption. Today we will cover installing and setting up Mozilla Thunderbird. Thunderbird is a desktop mail client that allows you to access your email from a platform other than the browser. This is a necessary step because of the vulnerabilities inherent in internet browsers. Thunderbird is popular (I am far from the first person to post a Thunderbird tutorial) and capable. For our purposes it will be used to remove email (and crypto) from the browser into a more secure environment. Continue reading “DIY Encrypted Email 2: Thunderbird”
As promised in my post on email threat models, today I am going to begin a series on DIY encrypted email. As I discussed in the email threat modeling post, this is the most secure email encryption available. Before we get into the “how to” portion of this, it is important to first understand asymmetric encryption. Email encryption relies on a wholly different encryption model than that used to protect data-at-rest. Encrypting email and web traffic relies on asymmetric encryption (also known as public key cryptography). One of the classic problems with encryption for communications is “key exchange”. It would be simple to encrypt a PDF and email it to someone. However, it would be difficult to exchange the password for that file without sending it unencrypted. Sending it plaintext leaves the password vulnerable to interception. This compromises the integrity of the entire system. But there is a better way. Continue reading “DIY Encrypted Email 1: The Basics”
In a continuation of my suite on threat modeling, this post will address email threat modeling specifically. Selecting an email provider (or set of email providers) can be difficult if privacy and security are your chief concerns. Gmail is abyssmal when it comes to privacy, but even paid providers struggle to match its security. Selecting an email provider for sensitive communications should be done based on your threat model(s), and you may end up maintaining several accounts for different purposes. It is my hope that these threat models will provide some clarity into what threat(s) each email provider defends you against. I also hope this helps you choose a setup that you are comfortable with. Continue reading “Email Threat Models”
My favorite encrypted email service, ProtonMail has moved into a new phase in its beta rollout. Last week ProtonMail rolled out beta version 2.0. The full details can be found on the ProtonMail blog, but there are several significant upgrades that I would like to point out here.
Encrypted Attachments to Outside Users: ProtonMail now allows you to encrypt attachments and to outside users, not just to other ProtonMail users. This is one of the features I wrote that I would like to see in my last post about ProtonMail (not that I think I had anything to do with the decision to add this feature).
Public Key Download: ProtonMail now offers you the ability to download your public key. This allows you to share it with PGP users, and allows them to send encrypted messages to your ProtonMail account. I also wrote about this last time, but I would still like to see this feature upgraded to allow the import of others’ public keys.
Event Logging: Under ProtonMail’s “Security” tab (in Settings) is an option to log authentication events (logins, logouts, and unsuccessful login attempts). The Advanced Logging feature displays the event, a time and date stamp, and the IP address from which the event occurred, while the Basic Logging only displays the event and a time/date stamp. Event logging can also be disabled completely, allowing you to (theoretically) prevent ProtonMail from recording your login times and IP addresses. According to ProtonMail the event logs are only available in the user’s mailbox, which means they are encrypted.
The most exciting feature won’t be around until a little later this week though: on August 20th ProtonMail will release beta apps for both iOS and Android.
I am very happy to see ProtonMail adding features like these. I would still very much like to have a two-factor authentication option, and I am told that we should expect one late this year. Updates to follow.
I love encrypted email, and I love writing about it. In researching the next book in the Your Ultimate Security Guide series, Your Ultimate Security Guide: iOS, I decided to give Tutanota a try and I’m glad I did.
The name “Tutanota” comes from the Latin words “tuta” (secure) and “nota” (message). Tutanota offers free, end-to-end encrypted email accounts. No personal information at all is required to create an account, and account creation is allowed through the Tor network. Tutanota encrypts your message including the subject line, and any attachments and stores all of your emails in an encrypted state. When you log in with your username and password, an encrypted version of your password is stored on Tutanota’s servers for the duration of your session. If you lose your password it cannot be reset. Tutanota also allows you to send encrypted emails to non-Tutanota users
Tutanota is incredibly streamlined and user-friendly and Tutanota apps are available for both iOS and Android, and Tutanota also offers a premium level of service for €1 per month. Premium accounts offers some expanded functionality including the ability to create and use up to five aliases (alternate email addresses), unlimited outgoing emails (free accounts are capped at 100 per day), and the option to use your own domain. Both free and paid accounts offer only 1Gb of storage but more (up to 1Tb) will be available for purchase soon.
Unfortunately Tutanota lacks several features that most of us have come to expect in an email service. First, it does not allow you to save drafts (and as a result does not have a “Drafts” folder). It also lacks a search function and the ability to assign labels (an important feature for email power-users). Because of this I see it being used only for exchanging encrypted emails and not a day-to-day, Gmail-replacement system.
Though I am a fan of Protonmail and have been using it much longer, I do like the look and feel of Tutanota and will work it into my daily email routine.